The parties
Controller: the merchant — the legal entity that signs up for a Mercentia account and determines the purposes and means of processing end-customer personal data.
Processor: Mercentia Ltd, registered in England & Wales. Mercentia processes personal data on behalf of the Controller in the course of providing the platform described in the Terms of Service.
Roles and scope
This DPA applies to processing of personal data:
- That the Controller submits to the platform (catalogue, content, settings)
- That end-customers submit through Controller-operated storefronts
- That Mercentia collects directly to operate the platform (account, billing, audit, security telemetry)
Controller acts as Controller; Mercentia acts as Processor. For Mercentia's own purposes (account administration, billing, security, fraud) Mercentia is the independent Controller.
Subject matter, nature, and duration
- Subject matter: provision of the Mercentia platform
- Nature: storage, transmission, organisation, retrieval, analysis, and deletion of personal data
- Duration: term of the underlying Terms of Service, plus 90 days for deletion / retention obligations
- Categories of data subjects: Controller's customers and prospects, Controller's staff, Controller's wholesale buyers
- Categories of data: identifiers (name, email, address, phone), order data, communication content, payment tokens (never PAN), IP / device telemetry
Processing instructions
Mercentia processes personal data only on documented instructions from the Controller — primarily the Terms of Service, the Controller's configuration of the dashboard, and the Controller's API calls. Anything outside that is unauthorised processing unless EU or UK law requires otherwise, in which case Mercentia informs the Controller before processing unless the law prohibits the notice.
Technical and organisational measures
Detailed on the Security page. Summary:
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- Row-level security tenant isolation in PostgreSQL
- Argon2id password hashing; per-IP rate limiting on auth
- Append-only audit log retained 7 years
- Production access logged + restricted; quarterly access reviews
- Synthetic checkout monitoring + on-call rotation
- Dependency CVE blocking in CI
- Annual SAQ A self-assessment
Sub-processors
Current list on the Privacy page. Controller grants general authorisation for Mercentia to engage sub-processors from that list. We give 30 days' written notice before adding a new sub-processor. If you object on reasonable data-protection grounds, you may terminate the affected service.
Data subject rights
Mercentia assists the Controller in responding to data-subject requests (access, correction, erasure, restriction, portability, objection) via the dashboard's privacy tools and the /api/v1/gdpr/* endpoints — export, erase, consent updates, summary. We respond to the Controller's assistance requests within 7 calendar days at no additional charge.
International transfers
Mercentia is operated from the UK. Where personal data is transferred to sub-processors outside the UK / EU, the transfer relies on:
- UK International Data Transfer Agreement (IDTA)
- EU Standard Contractual Clauses (SCCs), Modules 2 + 3 as applicable
- EU-US Data Privacy Framework where the recipient is certified
Supplementary measures (encryption, pseudonymisation, transparency reports from the recipient) are applied as required by the Schrems II guidance.
Breach notification
Mercentia notifies the Controller without undue delay — and in any event within 72 hours — of becoming aware of a personal-data breach affecting the Controller's data. The notification includes the nature of the breach, the categories and approximate numbers of data subjects and records, the likely consequences, and the measures taken or proposed.
Audit and inspection
Mercentia makes available all information necessary to demonstrate compliance with this DPA. Once per 12 months, on 30 days' written notice, the Controller (or its independent auditor under NDA) may audit Mercentia's processing during normal business hours, at the Controller's expense. Audits cannot disrupt platform operations or other Controllers' data.
SOC 2 reports (once available) and the PCI SAQ A self-attestation are accepted as sufficient evidence in lieu of an on-site audit where the scope matches.
Termination + return of data
On termination of the Terms of Service, the Controller has 30 days to export personal data via the dashboard or the API. After that period Mercentia deletes or anonymises personal data, except where retention is required by law (tax, anti-money-laundering, audit). Backups age out within 30 days.
Signing this DPA
Every paid Mercentia account is covered by this DPA — accepting the Terms of Service incorporates it by reference. For merchants who require a countersigned copy for procurement records, email [email protected] and we'll return a signed PDF within 5 business days.